On 10/01/2025 05:31, Andrew C Aitchison via Exim-users wrote:
> In that case, can and should we make exim-as-client report why it rejected the server's certificate in the main log?
The operational problem would then become the amount of cruft in the log, were every possible item of information recorded (*). Indeed, how would "every possible item" be enumerated?

On the development side, although adding this one item wouldn't be hard under GnuTLS (having had it pointed out), we'd then want feature parity under OpenSSL, which would take dev time. And we'd have to update the testsuite, and worry over variant library versions. Then the LibreSSL guys would weigh in. That dev time gets repeated for every additional item, and would mount up rapidly. So, where is the line to be drawn?

There's an argument that goes "we have controllability but lack observability on this feature (cert-name checking)". We do have the tls:cert event, $tls_out_peercert and the certextract expansion item, but those won't be obvious for a naive user.

-- 
Cheers,
  Jeremy

*) Now wait for suggestions of more controls over what gets logged

-- 
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
##   exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
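For readers who are not the "naive user" the reply has in mind, here is what using the existing observability hooks looks like in practice. This is an added illustration written for this page, not configuration from the thread or from the Exim project itself. It shows an smtp transport that turns on the controllability side (chain verification plus the host-name check) next to an event_action on the tls:cert event that pulls the subject and DNS SANs out of $tls_out_peercert with certextract and hands them to syslog. Assumptions, to be checked against the spec for your Exim version: that $event_data for tls:cert is the verification depth with the leaf certificate at depth 0 (OpenSSL's convention), that $tls_out_peercert is populated when the event fires, that the "subj_altname,dns" selector form of certextract is accepted, and that /usr/bin/logger is where logger(1) lives on the host. The "remote_smtp" transport name is a conventional one and is also an assumption.

```exim
# Main configuration section: the cheap option first. With these log
# selectors every delivery line carries the peer DN and whether the
# chain verified (CV=yes/no), which already answers "which certificate
# did the server present" without any event plumbing.
log_selector = +tls_peerdn +tls_certificate_verified +tls_sni

# Transport section (assumed name: remote_smtp).
remote_smtp:
  driver = smtp
  # Controllability: verify the server chain against the system CA
  # store and require it for every host. Swap tls_verify_hosts for
  # tls_try_verify_hosts if you want opportunistic rather than mandatory
  # verification.
  tls_verify_certificates = system
  tls_verify_hosts = *
  # Name check against the host name Exim connected to. This is the
  # default value; it is spelled out here because it is the "cert-name
  # checking" control the thread is about.
  tls_verify_cert_hostnames = $host
  # Observability: tls:cert is raised once per certificate in the chain
  # the server presents. Keep only the leaf (assumed depth 0), extract
  # subject and DNS SANs, and emit one syslog line per delivery attempt.
  # Each continued line ends with a space before the backslash because
  # Exim strips leading white space from continuation lines.
  event_action = ${if eq {$event_name}{tls:cert} \
    {${if eq {$event_data}{0} \
      {${run{/usr/bin/logger -t exim-tls-out \
        "host=$host addr=$host_address \
         subject=${certextract{subject}{$tls_out_peercert}} \
         san=${certextract{subj_altname,dns}{$tls_out_peercert}}"}}}}}}
```

When a delivery fails the name check, the resulting syslog line sits next to the mainlog's TLS error for the same host, so the operator can compare the names the server actually presented with the $host Exim checked against, which is the information the reply says the main log does not carry on its own. The log_selector line is the low-effort alternative: it costs no event_action at all, but only reports the DN, not the SAN list that the host-name check actually consults.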